CVE-2026-48922
Published: 27 May 2026
Summary
CVE-2026-48922 is a high-severity Improper Input Validation (CWE-20) vulnerability in Jenkins Credentials Binding. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 28.2nd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability affects the Jenkins Credentials Binding Plugin version 720.v3f6decef43ea_ and earlier. It stems from improper sanitization of the file names attached to file and zip file credentials (classified under CWE-20, Improper Input Validation): because the name is used when the credential is written to disk for a build, a name containing path separators or ".." segments permits path traversal to unintended filesystem locations. The issue carries a CVSS 3.1 base score of 7.5.
Attackers able to supply credentials to a Jenkins job can exploit the flaw to write files to arbitrary locations on the node filesystem. When Jenkins permits low-privileged users to configure file or zip file credentials for jobs executing on the built-in node, the write lands on the controller's own filesystem and successful exploitation can result in remote code execution.
The Jenkins security advisory at https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3790 addresses the issue and outlines mitigation steps for affected installations. The associated EPSS score is low and unchanged at 0.0177 (about 1.8%), with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-32513
Vulnerability details
Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node.
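The weakness described in the analysis and in the vulnerability details above, modelled as stand-alone code. This is an added illustration of the bug class (an attacker-controlled credential file name joined onto a job directory without sanitization), not the Credentials Binding Plugin's code, and every function and path name in it is hypothetical. It shows where an unsanitized join would write for a few constructed names, the hardened check that rejects them, and a helper that tests whether a plugin version string falls in the affected range the advisory lists (720 and earlier).

```python
"""Model of the weakness behind CVE-2026-48922 (CWE-20 leading to path
traversal): a build step writes a file credential into a job directory
using the credential's user-supplied file name verbatim. Added illustration
only; not the Credentials Binding Plugin's code. All names are hypothetical."""
import os
from pathlib import Path


class UnsafeFileName(ValueError):
    """Credential file name could place the file outside the job directory."""


def unsafe_target(job_dir: str, credential_file_name: str) -> str:
    # Vulnerable pattern: the attacker-controlled name is joined onto the job
    # directory with no sanitization. os.path.join drops job_dir entirely for
    # an absolute name, and ".." segments survive, so the eventual open()
    # lands wherever the name says. normpath shows the path the OS will use.
    return os.path.normpath(os.path.join(job_dir, credential_file_name))


def safe_target(job_dir: str, credential_file_name: str) -> str:
    # Hardened form: allow exactly one path component (no separators, no NUL,
    # not "." or ".."), then confirm the resolved path is a direct child of
    # the job directory. The second check also catches a pre-planted symlink
    # of the same name pointing elsewhere.
    name = credential_file_name
    if name in ("", ".", "..") or any(c in name for c in "/\\\0"):
        raise UnsafeFileName(f"rejected credential file name {name!r}")
    base = Path(job_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise UnsafeFileName(f"{name!r} resolves outside {base}")
    return str(candidate)


def classify(job_dir: str, names: list) -> dict:
    """For each name, report where the unsafe join would write and whether
    the hardened check accepts it. Returns name -> (unsafe_path, verdict)."""
    out = {}
    for n in names:
        try:
            safe_target(job_dir, n)
            verdict = "accepted"
        except UnsafeFileName:
            verdict = "rejected"
        out[n] = (unsafe_target(job_dir, n), verdict)
    return out


def in_affected_range(plugin_version: str) -> bool:
    """True when a Credentials Binding Plugin version string such as
    '720.v3f6decef43ea_' has a numeric prefix of 720 or lower, the range the
    advisory lists as affected. Consult the advisory for the fixed release."""
    head = plugin_version.split(".", 1)[0]
    return head.isdigit() and int(head) <= 720


if __name__ == "__main__":
    # Constructed sample (hypothetical job directory): one benign name and
    # three traversal attempts a low-privileged user could type into a file
    # credential's file-name field. JENKINS_HOME/init.groovy.d is the
    # controller's startup-script directory, which is why an arbitrary write
    # on the built-in node reaches code execution.
    JOB_DIR = "/var/lib/jenkins/workspace/job"
    SAMPLE = [
        "id_rsa",
        "../../.ssh/authorized_keys",
        "/etc/cron.d/backdoor",
        "x/../../../init.groovy.d/startup.groovy",
    ]
    for name, (unsafe_path, verdict) in classify(JOB_DIR, SAMPLE).items():
        print(f"{name!r:42} unsafe write -> {unsafe_path:48} hardened: {verdict}")
    print("720.v3f6decef43ea_ in affected range:",
          in_affected_range("720.v3f6decef43ea_"))
```

The hardened check deliberately rejects rather than "cleans" a bad name: stripping separators from attacker input invites bypasses (for example a name that becomes traversal only after one round of stripping), whereas a whitelist of one plain component plus a post-resolution containment check has no such failure mode.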
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-mapped): T1190 Exploit Public-Facing Application
Why these techniques?
Arbitrary file write via unsanitized credential file names in a publicly reachable Jenkins plugin can directly enable remote code execution, matching the T1190 pattern of exploiting an exposed application.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Input validation controls directly implement checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.